Solved

PIX VPN/XP Client question.

Posted on 2006-07-03
Last Modified: 2010-04-12
I have a user who telecommutes from home over VPN.  The problem is - when he's connected to the VPN - he can't browse web pages external to the office network - only internal web sites.  It seems I have had success in the past in VPN Properties/Networking Tab/Internet Protocol (TCP/IP)/Properties button/Advanced Button/check "Use default gateway on remote network".  But this hasn't been a consistent fix...  Any ideas?
Question by:LTWadmin
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 17033992
Which client does he use? PIX supports both Cisco VPN client and the Microsoft PPTP client.
Microsoft client works if you un-check the use default gateway on remote network box, but may break their ability to access internal resources.
Cisco client is totally controlled by the PIX. The network admin would have to enable "split-tunneling" which may or may not be against company policy.
0
 

Author Comment

by:LTWadmin
ID: 17123636
lrmoore -

Thanks.  He's using the Microsoft PPTP Client in XP Pro.  Is split tunneling a security risk?
0
 
LVL 9

Assisted Solution

by:muff
muff earned 125 total points
ID: 17125961

Split-tunnelling can be a risk because it enables a PC to be connected to untrusted and trusted networks simultaneously.  Untrusted = the internet.

Imagine a piece of malicious software that connected to an attacker's site and waited for instructions while the VPN client was connected to the company network.  The user PC could then provide the attacker the same level of access to the company network as the user.

This risk can be mitigated somewhat by ensuring that the user's antivirus software is up to date prior to allowing a connection, and limiting what the user can install on their PC.

A more secure alternative that provides the user with access to the web while connected to the company network would be to use a proxy server that is on the company network.  In other words, don't use split-tunnelling at all - web requests would be forwarded to the proxy which would request the web page on the user's behalf.

koan
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17126380
Yes, split tunneling is a "HUGE" risk.
Problem with using Microsoft client is that the USER is in full control with one little tick of the box [ ] Use default gateway on remote network. Un-tick it and split-tunneling is enabled.
Cisco VPN client is 100% controlled by the ADMIN.
One of the best solutions is to set up a web proxy at HQ, force use of Cisco VPN client and force users to go through the proxy.
The reason that it is not consistent is because of the classful nature of PPTP. It all depends on the class of the IP address assigned to the client and to the remote LAN. I can explain that further if necessary, but it's a lesson in classful IP networks....
0
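The classful behaviour mentioned in the comment above can be modelled as follows. This is an added example, not code from the thread. It assumes the Windows client behaviour that with the gateway box unchecked it installs only a route for the classful network of the address it was assigned, and it ignores the client's own home-LAN route. All addresses and function names are constructed for illustration.

```python
import ipaddress

def classful_network(addr):
    """Classful (A/B/C) network that contains addr."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8       # class A
    elif first_octet < 192:
        prefix = 16      # class B
    elif first_octet < 224:
        prefix = 24      # class C
    else:
        raise ValueError("class D/E addresses are not assigned to clients")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def tunnel_routes(assigned_ip, use_remote_gateway):
    """Networks the client sends into the VPN for a given checkbox state."""
    if use_remote_gateway:
        return [ipaddress.ip_network("0.0.0.0/0")]   # everything is tunnelled
    return [classful_network(assigned_ip)]           # only the classful route

def path_for(dest, assigned_ip, use_remote_gateway):
    """'tunnel' if dest matches a VPN route, else 'local' (home gateway)."""
    ip = ipaddress.ip_address(dest)
    routes = tunnel_routes(assigned_ip, use_remote_gateway)
    return "tunnel" if any(ip in net for net in routes) else "local"

def audit(assigned_ip, use_remote_gateway, internal_hosts, internet_host):
    """Internal hosts that miss the tunnel, and whether the PC is split-tunnelled."""
    missed = [h for h in internal_hosts
              if path_for(h, assigned_ip, use_remote_gateway) == "local"]
    split = path_for(internet_host, assigned_ip, use_remote_gateway) == "local"
    return {"internal_not_tunnelled": missed, "split_tunnel": split}

# Constructed sample data: two office addressing plans and one Internet host.
INTERNAL_A = ["10.1.1.10", "10.20.0.5"]           # office numbered out of 10/8
INTERNAL_C = ["192.168.10.10", "192.168.20.5"]    # office using several /24s
INTERNET = "198.51.100.7"                         # documentation range

if __name__ == "__main__":
    for ip, hosts in (("10.1.1.50", INTERNAL_A), ("192.168.10.50", INTERNAL_C)):
        for checked in (True, False):
            state = "checked" if checked else "unchecked"
            print(ip, state, audit(ip, checked, hosts, INTERNET))
```

With a class A assignment the unchecked box still reaches every internal host, while with a class C assignment the second internal subnet falls outside the tunnel, which is why the fix appears inconsistent between sites. In both unchecked cases the Internet host is reached outside the tunnel, the split-tunnel condition discussed in this thread.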
